
Academic year: 2021


SECURITY THREATS AND BENEFITS OF CLOUD COMPUTING

TRANSITIONING TO A NEW WAY OF DOING BUSINESS

Subramanian Anbazhagan (1), Dr. K. Somasundaram (2)

(1) Department of Computer Science and Engineering, Karpagam University, Coimbatore. Email: [email protected]

(2) Department of Computer Science and Engineering, Jaya Engineering College, Chennai. Email: [email protected]

Abstract: Cloud computing provides a new environment that enables organizations to leverage emerging technologies that address growing business challenges and to position their companies to be more competitive in a cost-effective manner. Cloud computing is a way of providing and consuming IT services. Cloud computing constitutes the biggest IT advancement in recent years and touches on just about every facet of the enterprise. Topics can include development platforms, software/applications, service level agreements, enterprise security, outsourcing, Big Data, storage, Shadow IT, compliance and governance. Cloud computing is currently the most over-hyped and least understood technological innovation since the advent of the Internet. The latter tremendously impacted businesses of all sizes globally, and the former has the potential to similarly and dramatically transform the business and economics of IT over the next few years. The cloud is enabling new ways for IT to operate and is helping organizations to define a new, more collaborative relationship between IT and the business. Increasingly, IT leaders view cloud computing as a catalyst for change and are using it for IT or business transformation. The concept of cloud computing creates new challenges for security, because sensitive data may no longer reside on dedicated hardware. On the other hand, there are also potential security benefits of cloud computing.

Keywords: Cloud Computing, Cloud security, Security Threats, Cloud Encryption, Cloud Services.

1. INTRODUCTION

The European Network and Information Security Agency (ENISA) defines cloud computing as “an on-demand service model for IT provision, often based on virtualization and distributed computing technologies.” It says that cloud computing architectures have highly abstracted resources, near-instant scalability and flexibility, nearly instantaneous provisioning, shared resources, service on demand, and programmatic management.

The US National Institute of Standards and Technology (NIST) has also published a cloud definition, which it has submitted as the US contribution for an international standard.

As cloud computing expands rapidly, the nuances of its security are becoming more evident. In a recent Prism

dicated that their biggest fear is that the hypervisor, a program allowing multiple OSs to share a single host, can and will create an entry point into multiple machines. More than half the respondents also believe that virtualization will create a new layer that could be attacked and that the proliferation of virtualized environments will reduce security visibility. Even though the respondents admitted these concerns, 58 percent of them admitted that they’re implementing traditional security solutions to provide virtual security. This mind-set is creating opportunities for attack. This revelation, although not surprising, demonstrates the security challenges inherent in public-cloud computing and virtualization.

This work aims to focus on problems associated with security of clouds and also analyze the security benefits of cloud computing. This paper is structured as follows: section 2 provides the review of relevant literature, section 3 provides the detailed study of the encryption technologies associated with cloud computing, section 4 provides the cloud computing threats and benefits, and section 5 discusses proposed work and section 6 concludes the paper.

2. RELATED LITERATURE

2.1 CLOUD ARCHITECTURES

Cloud computing architecture is divided into two sections:

1. The front end
2. The back end

They connect to each other through a network, usually the Internet. The front end includes the client’s computer (or computer network) and the application required to access the cloud computing system. On the back end of the system are the various computers, servers and data storage systems that create the cloud of computing services. A central server administers the system, monitoring traffic and client demands to ensure everything runs smoothly. It follows a set of rules called protocols and uses a special kind of software called middleware. Middleware allows networked computers to communicate with each other. Figure 1 shows the cloud computing architecture.

Fig. 1. Cloud Computing Architecture

2.2 CLOUD COMPUTING SERVICES

The architecture of cloud computing can be categorized according to three types of service models, namely (1) Infrastructure as a Service (IaaS), (2) Software as a Service (SaaS) and (3) Platform as a Service (PaaS). These are shown in Figure 2.

2.2.1 Infrastructure As A Service (IaaS):

Infrastructure as a Service is a way of delivering cloud computing infrastructure (servers, storage, network and operating systems) as an on-demand service. Rather than purchasing servers, software, data centre space or network equipment, clients instead buy those resources as a fully outsourced service on demand.

2.2.2 Software As A Service (SaaS):

The SaaS model offers the service as an application to the consumer using standard interfaces. These services run on top of the cloud infrastructure, which the consumer cannot see. Software as a Service provides software and applications and manages user software requirements on demand, while the cloud provider manages the applications, operating system and infrastructure. SaaS provides services according to user requirements.

2.2.3 Platform As A Service (PaaS):

Platform as a Service provides a platform for any type of application and brings the benefits that SaaS brought for applications; it offers the consumer an operational development platform. PaaS can be defined as a computing platform that allows the creation of web applications quickly and easily, without the complexity of buying and maintaining the software and infrastructure underneath it. Clients are provided platform access, which enables them to put their own customized software and other applications on the cloud.

Fig. 2. Cloud Services

2.3 TYPES OF CLOUD

In providing a secure cloud computing solution, a major decision is the type of cloud to be implemented. Currently there are three types of cloud deployment models offered, namely (1) public, (2) private and (3) hybrid cloud. These, together with their security implications, are discussed below. The cloud models are shown in Figure 3.

2.3.1 Public Cloud:

The public cloud is the mainstream model: its resources are shared outside the organization and there are no restrictions, so anyone can use it.

2.3.2 Private Cloud:

In a private cloud, a limited number of resources is available for people to use, and it is used within an organization.

2.3.3 Hybrid Cloud:

A hybrid cloud is a collection of public and private clouds. A hybrid cloud, like a private cloud, is linked to one or more services.

3. ENCRYPTION TECHNOLOGIES FOR CLOUD COMPUTING

In cloud computing, entities frequently communicate mutually. To secure this communication, it is important to impose encryption and signature schemes. The following encryption techniques are therefore proposed:

Linear Search Algorithm

In the Linear Search algorithm, a symmetric encryption algorithm is used to encrypt the plain text. For the cipher text of each keyword under the symmetric encryption scheme, a pseudo-random sequence is generated with a length less than that of the cipher text. Meanwhile, a check sequence is generated, also with a length less than that of the cipher text. Together, the pseudo-random sequence and the check sequence equal the length of the cipher text. Finally, the cipher text is encrypted again by modulo 2 addition with the pseudo-random sequence and the check sequence. When searching, a user submits the cipher text sequence under the symmetric encryption scheme. On the server side, modulo 2 addition with each stored sequence is performed. If the result satisfies the check, the stored sequence is an encryption of the submitted cipher text; otherwise, it is not.
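The linear search described above can be sketched as follows. This is an added example, not code from the paper: a keyed HMAC stands in for the deterministic symmetric encryption of each keyword (the Python standard library has no block cipher, so decryption is omitted), and the per-keyword check key handed to the server, the block sizes and all names are assumptions.

```python
import hashlib
import hmac
import secrets

BLOCK = 16               # bytes per keyword cipher text
S_LEN = 10               # pseudo-random sequence, shorter than the cipher text
T_LEN = BLOCK - S_LEN    # check sequence; S_LEN + T_LEN == BLOCK


def prf(key: bytes, data: bytes, n: int) -> bytes:
    """Keyed pseudo-random function, truncated to n bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    """Modulo 2 addition of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    def __init__(self):
        self.k_word = secrets.token_bytes(32)    # keyword encryption key
        self.k_check = secrets.token_bytes(32)   # derives per-keyword check keys
        self.k_stream = secrets.token_bytes(32)  # pseudo-random sequence key

    def trapdoor(self, word: str):
        """What the user submits to search: keyword cipher text + check key."""
        x = prf(self.k_word, word.lower().encode(), BLOCK)  # stand-in for E(word)
        return x, prf(self.k_check, x, 32)

    def encrypt_document(self, doc_id: str, words):
        blocks = []
        for pos, word in enumerate(words):
            x, k_i = self.trapdoor(word)
            # Fresh pseudo-random sequence per position hides repeated keywords.
            s = prf(self.k_stream, doc_id.encode() + pos.to_bytes(4, "big"), S_LEN)
            t = prf(k_i, s, T_LEN)               # check sequence bound to s
            blocks.append(xor(x, s + t))         # second encryption layer
        return blocks


def server_search(index, x: bytes, k_i: bytes):
    """Server side: XOR every stored block with x and test the check part."""
    hits = []
    for doc_id, blocks in index.items():
        for pos, c in enumerate(blocks):
            st = xor(c, x)
            s, t = st[:S_LEN], st[S_LEN:]
            if hmac.compare_digest(prf(k_i, s, T_LEN), t):
                hits.append((doc_id, pos))
    return hits


def sample_index():
    """Constructed sample data: two short documents."""
    client = Client()
    docs = {"doc1": ["quarterly", "invoice", "overdue", "invoice"],
            "doc2": ["meeting", "notes"]}
    return client, {d: client.encrypt_document(d, w) for d, w in docs.items()}


if __name__ == "__main__":
    client, index = sample_index()
    print(server_search(index, *client.trapdoor("invoice")))
```

The server learns which positions match a submitted trapdoor and can replay that trapdoor against later uploads, so search patterns leak even though the keywords themselves stay hidden.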

Identity Based Signature

An identity based signature scheme is deterministic if the signature on a message by the same user is always the same. The framework of identity based signature scheme consists of algorithms described below:

Setup: The Private Key Generator (PKG) provides the security parameter as the input to this algorithm, which generates the system parameters and the master private key.

Extract: The user provides his identity ID to the PKG. The PKG runs this algorithm with the identity ID, the parameters and the master private key as input and obtains the private key D. The private key D is sent to the user through a secure channel.

Sign: To generate a signature on a message m, the user provides his identity ID, his private key D, the parameters and the message m as input. This algorithm generates a valid signature on message m by the user.

Verify: On input a signature on message m by the user with identity ID and the parameters, this algorithm checks whether the signature is valid on message m by ID.

Homomorphic Encryption

Homomorphic encryption refers to encryption where plain texts and cipher texts are both treated with an equivalent algebraic function. The plain text and cipher text need not otherwise be related; the emphasis is on the algebraic operation that works on both of them.

Structured Encryption

A structured encryption scheme encrypts structured data in such a way that it can be queried through the use of a query-specific token that can only be generated with knowledge of the secret key. In addition, the query process reveals no useful information about either the query or the data. An important consideration in this context is the efficiency of the query operation on the server side.

Public Key Encryption with Keyword Search

A Public Key Encryption with Keyword Search (PEKS) scheme consists of four polynomial time algorithms:

KeyGen: Takes as input a security parameter and generates a public/private key pair (pk, sk).

Trapdoor: Takes as input the receiver’s private key sk and a word W, and produces a trapdoor Tw.

PEKS: Takes as input the receiver’s public key pk and a word W, and produces a searchable encryption of W.

Test: Takes as input the receiver’s public key pk, a searchable encryption C = PEKS(pk, W).

Attribute Based Encryption (ABE)

In ABE, the attributes and policies associated with the message and the user decide which user can decrypt a cipher text. A central authority creates secret keys for the users based on the attributes/policies of each user.

Cipher text policy in ABE:

Each user in the system has attributes and receives a key (or “key bundle”) from an authority for its set of attributes. The cipher text contains a policy (a Boolean predicate over the attribute space). If a user’s attribute set satisfies the policy, the user can use its key bundle to decrypt the cipher text. Multiple users cannot pool their attributes together.

3.1 CLOUD SECURITY THROUGH KEY AGREEMENT

In order to effectively manage and control the use of cloud technology in an organization, business and strategic decision makers need to begin by assessing the potential impact of cloud computing on their competitive edge. It is therefore necessary to build up proper security for a cloud implementation. The key agreement protocol enables two users to establish a secret key using a public-key scheme based on discrete logarithms. The protocol is secure only if the authenticity of the two participants can be established, and it provides cloud computing security through a secret key established using a public-key scheme.

Asymmetric-key algorithms are those algorithms that use different keys for encryption and decryption. The two keys are the private key and the public key. The public key is used by the sender for encryption and the private key is used by the receiver for decryption of the data. In cloud computing, asymmetric-key algorithms are used to generate keys for encryption. The most common asymmetric-key algorithms for cloud are RSA, IKE, and Diffie-Hellman Key Exchange.

In 1976, Whitfield Diffie and Martin Hellman introduced a key exchange protocol based on the discrete logarithm problem. In this protocol the sender and receiver set up a secret key for their symmetric key system using an insecure channel. To set up a key, Alice chooses a random integer $a \in [1, n]$ and computes $g^a$; similarly, Bob computes $g^b$ for a random $b \in [1, n]$ and sends it to Alice. The secret key is $g^{ab}$, which Alice computes as $(g^b)^a$ and Bob as $(g^a)^b$. The important concepts on which the security of the Diffie-Hellman key exchange protocol depends are:

Discrete Logarithm Problem (DLP): If, from $g$ and $g^a$, an adversary Eve can compute $a$, then she can compute $g^{ab}$ and the scheme is broken.

Diffie-Hellman Problem (DHP): If, given the information $g$, $g^a$ and $g^b$, with or without solving the discrete logarithm problem, Eve can compute $g^{ab}$, then the protocol is broken. It is still an open problem whether DHP is equivalent to DLP.

Decision Diffie-Hellman Problem (DDH): Given $g$, $g^a$, $g^b$ and $g^c$, DDH is to answer the question, deterministically or probabilistically: is $ab \equiv c \bmod n$?
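The exchange above, together with the requirement that both participants be authenticated, can be illustrated as follows. This is an added example, not code from the paper: the modulus is a toy Mersenne prime rather than a standardized group, authentication uses a pre-shared MAC key as a stand-in for signatures or certificates, and all names are assumptions.

```python
import hashlib
import hmac
import secrets

# Toy parameters for illustration only: a Mersenne prime modulus, not a
# standardized Diffie-Hellman group. (Assumption; the page names no group.)
P = 2**521 - 1
G = 3
P_LEN = (P.bit_length() + 7) // 8


def check_public(y: int) -> int:
    """Reject values that would force the shared secret to a trivial value."""
    if not 2 <= y <= P - 2:
        raise ValueError("public value outside [2, p-2]")
    return y


def transcript_mac(auth_key, sender, receiver, sender_pub, receiver_pub):
    """MAC binding both identities to both public values, sender first."""
    msg = b"\x00".join([sender.encode(), receiver.encode()])
    msg += sender_pub.to_bytes(P_LEN, "big") + receiver_pub.to_bytes(P_LEN, "big")
    return hmac.new(auth_key, msg, hashlib.sha256).digest()


class Party:
    def __init__(self, name: str, auth_key: bytes):
        self.name = name
        self.auth_key = auth_key                     # pre-shared out of band
        self.secret = secrets.randbelow(P - 3) + 2   # a (or b), never sent
        self.public = pow(G, self.secret, P)         # g^a (or g^b), sent in clear

    def tag(self, peer_name: str, peer_public: int) -> bytes:
        """Authenticate the public values exactly as this party saw them."""
        check_public(peer_public)
        return transcript_mac(self.auth_key, self.name, peer_name,
                              self.public, peer_public)

    def finish(self, peer_name: str, peer_public: int, peer_tag: bytes) -> bytes:
        """Verify the peer's tag, then derive the session key from g^(ab)."""
        check_public(peer_public)
        expected = transcript_mac(self.auth_key, peer_name, self.name,
                                  peer_public, self.public)
        if not hmac.compare_digest(expected, peer_tag):
            raise ValueError("transcript MAC mismatch: peer not authenticated")
        shared = pow(peer_public, self.secret, P)    # (g^b)^a = (g^a)^b
        return hashlib.sha256(shared.to_bytes(P_LEN, "big")).digest()


def run_exchange():
    """1. alice -> bob: g^a   2. bob -> alice: g^b, tag_b   3. alice -> bob: tag_a"""
    auth_key = secrets.token_bytes(32)
    alice, bob = Party("alice", auth_key), Party("bob", auth_key)
    tag_b = bob.tag("alice", alice.public)
    k_alice = alice.finish("bob", bob.public, tag_b)
    tag_a = alice.tag("bob", bob.public)
    k_bob = bob.finish("alice", alice.public, tag_a)
    return k_alice, k_bob


if __name__ == "__main__":
    k_alice, k_bob = run_exchange()
    print("keys match:", k_alice == k_bob)
```

Because each tag covers the public values as the sender saw them, a value altered in transit makes the receiver's recomputed tag differ and the exchange is aborted before any key is used.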

3.2 CLOUD SECURITY THROUGH SYMMETRIC CIPHER MODEL

Symmetric-key cryptography refers to encryption methods in which both the sender and receiver share the same key. It is important to note that the security of encryption depends on the secrecy of the key, not the secrecy of the algorithm. We do not need to keep the algorithm secret; we need to keep only the key secret.

In symmetric key algorithm, the encryption and decryption keys are known to both Alice and Bob. For example the encryption key is shared and the decryption key is easily calculated from it. In many cases the encryption key and the decryption key are the same. All of the classical (pre-1970) cryptosystems are symmetric.

The modern study of symmetric-key ciphers relates mainly to the study of block ciphers, stream ciphers and application of hash function.

3.3 SYMMETRIC KEY ENCRYPTION ALGORITHMS USED IN CLOUD

The most important type of encryption is symmetric key encryption. Symmetric-key algorithms are those algorithms which use the same key for both encryption and decryption. Hence the key is kept secret. Symmetric algorithms have the advantage of not consuming too much computing power, and they encrypt at high speed. Symmetric-key algorithms are divided into two types: block ciphers and stream ciphers. In a block cipher, the input is taken as a block of plaintext of fixed size depending on the type of symmetric encryption algorithm; a key of fixed size is applied to the block of plaintext, and an output block of the same size as the block of plaintext is obtained. In the case of a stream cipher, one bit at a time is encrypted. Some popular symmetric-key algorithms used in cloud computing include Data Encryption Standard (DES), Triple-DES, and Advanced Encryption Standard (AES).

3.3.1 AES Algorithms:

Advanced Encryption Standard is a symmetric-key block cipher published as FIPS-197 in the Federal Register in December 2001 by the National Institute of Standards and Technology (NIST). AES is a non-Feistel cipher. AES encrypts data with a block size of 128 bits. It uses 10, 12, or 14 rounds. Depending on the number of rounds, the key size may be 128, 192, or 256 bits. AES operates on a 4×4 column-major order matrix of bytes, known as the state.

3.3.2 Blowfish Algorithm:

Blowfish is a symmetric block cipher algorithm. It uses the same secret key for both encryption and decryption of messages. The block size for Blowfish is 64 bits; messages that aren't a multiple of 64 bits in size have to be padded. It uses a variable-length key, from 32 bits to 448 bits. It is appropriate for applications where the key is not changed frequently. It is considerably faster than most encryption algorithms when executed on 32-bit microprocessors with huge data caches. Data encryption happens via a 16-round Feistel network.

3.4 CLOUD COMPUTING ENCRYPTION METHODOLOGIES

Cloud security is built around encryption methodologies. These are of three kinds: hashing encryption, symmetric cryptography, and asymmetric cryptography.

Hashing: This method uses a unique, fixed-length signature to encrypt a data set. The hash is created using a hash function or an algorithm, and each hash is compared with other hash sets to verify the uniqueness of the data set. Since a small change in the data will result in the generation of a new hash, the data owner will be alerted to any security breaches that may have occurred.

Symmetric Encryption: Up to this point in the discussion, every method of encryption requires a special secret key to be previously and securely established. This is the nature of symmetric key encryption. A symmetric-key (sometimes called private-key) encryption cipher is any algorithm in which the key for encryption is trivially related to the key used for decryption. An analogy of this is a typical mechanical lock. The same key that engages the lock can disengage it. To protect anything valuable behind the lock, the key must be given to each member securely. If an unintended person obtains access to the key, he or she will have full access to what is being secured by the lock.

Asymmetric Encryption: The digital era of the 1970s caused a need for an encryption system that would rely on a predetermined key. Cryptographers of this era realized that in order to send a message securely without previously meeting with the recipient, they would need a system that uses a different key for encryption than it does for decryption. In comparison with symmetric key encryption, this system would compare to a lock that has one key for engaging the lock and a different key for disengaging the lock.

4. THREATS AND BENEFITS

4.1 THREATS

Cloud computing faces just as many security threats as are currently found in existing computing platforms, networks, intranets and internets in enterprises. These threats, risks and vulnerabilities come in various forms. The Cloud Security Alliance (Cloud Computing Alliance, 2010) did research on the threats facing cloud computing and identified the following seven major threats:

1. Abuse and Nefarious Use of Cloud Computing
2. Insecure Application Programming Interfaces
3. Malicious Insiders
4. Shared Technology Vulnerabilities
5. Data Loss/Leakage
6. Account, Service & Traffic Hijacking
7. Unknown Risk Profile

4.2 BENEFITS

Cloud computing is no doubt a fantastic technology and continues to grow in popularity, and more and more companies are investing in a cloud for their company. Cloud computing presents business organizations with a fundamentally different model of operation, one that takes advantage of the maturity of web applications and networks and the rising interoperability of computing systems to provide IT services. Cloud providers specialize in particular applications and services, and this expertise allows them to efficiently manage upgrades and maintenance, backups, disaster recovery, and failover functions. As a result, consumers of cloud services may see increased reliability, even as costs decline due to economies of scale and other production factors. Other advantages include reduced costs as resources are shared and re-used within the cloud.

Reduced Cost: Cloud technology is paid incrementally, saving organizations money.

Increased Storage: Organizations can store more data than on private computer systems.

Highly Automated: No longer do IT personnel need to worry about keeping software up to date.

Flexibility: Cloud computing offers much more flexibility than past computing methods.

More Mobility: Employees can access information wherever they are, rather than having to remain at their desks.

Allows IT to Shift Focus: No longer having to worry about constant server updates and other computing issues, government organizations will be free to concentrate on innovation.

5. PROPOSED WORK

The aim of the research is to establish a strong trust between all the parties involved and provide the ultimate comfort level to host the applications at the cloud service providers’ premises. A trust based protocol is proposed to be developed to address the three primary security requirements of cloud computing models, namely, confidentiality, integrity and availability.

The key barriers to the firm adoption of cloud computing are the security and privacy issues. Though a broadly acknowledged nomenclature of cloud computing has been recommended by NIST (National Institute of Standards and Technology), the cloud is an eventual outgrowth of virtualization. The design, implementation and deployment of virtualization technologies in the cloud have opened up novel threats and security issues. End-to-end privacy, assurance and trust in cloud-centered designs need to be addressed effectively. The work aims to analyze the top cloud computing threats and their proposed solutions and to propose models for reputation-guided protection for cloud computing environments.

6. CONCLUSION

Although cloud computing can be seen as a new phenomenon which is set to revolutionize the way we use the Internet, there is much to be cautious about. There are many new technologies emerging at a rapid rate, each with technological advancements and with the potential of making human lives easier. However, one must be very careful to understand the limitations and security risks posed in utilizing these technologies. Cloud computing is no exception. In this paper, an extensive review has been done on cloud architecture, cloud computing services, types of clouds, encryption algorithms used in clouds, encryption technologies and methodologies for cloud computing, cloud computing threats and security benefits. This would assist organizations in making an informed decision before moving into cloud technologies.

REFERENCES

[1]. 167801100/security/news/240146276/cloud-s-privileged-identity-gapintensifies-insider-threats.html.

[2]. 2010 State of Virtualization Security Survey, Prism Microsystems, Apr. 2010; www.prismmicrosys.com/documents/VirtualizationSecuritySurvey2010.pdf.

[3]. 232900809/insecure-api-implementations-threaten-cloud.html

[4]. Armbrust M, Fox A, Griffith R, Joseph D A, Katz H R, Konwinski A, Lee Gunho, Patterson A D, Rabkin A, Stoica A, Zaharia M, (2009), Above the clouds: A Berkeley view of Cloud Computing, UC Berkeley EECS, Feb 2010.

[5]. Balachandra R K, Ramakrishna P V, Dr. Rakshit A, ‘Cloud Security Issues’, 2009 IEEE International Conference on Services Computing, pp 517-520.

[6]. Cloud Security Alliance, The Notorious Nine: Cloud Computing Top Threats in 2013.

[7]. Cloud Security Alliance Web site, http://www.cloudsecurityalliance.org/

[8]. Gartner, "User Survey Analysis: Impact of Mobile devices on Network and Data Center Infrastructure", 2012.

[9]. Gens F, 2009, ‘New IDC IT Cloud Services Survey: Top Benefits and Challenges’, IDC eXchange, from <http://blogs.idc.com/ie/?p=730>.

[10]. Global Netoptex Incorporated, 2009, Demystifying the cloud. Important opportunities, crucial choices, http://www.gni.com, pp 4-14.

[11]. http://www.darkreading.com/cloud-security/167901092/security/applicationsecurity/

[12]. http://www.darkreading.com/insiderthreat/

[13]. http://www.infoworld.com/d/cloud-computing/cloud-use-grows-so-will-rateof-ddos-attacks-211876.

[14]. http://www.securstore.com/blog/symmetric-key-encryption-for-cloud-computing/

[15]. Infoworld.com TechWatch Blog

[16]. InfoWorld/CSA, Ted Samson, "Data breaches and cloud service abuse rank among the greatest cloud security threats, according to Cloud Security Alliance"

[17]. Leavitt N, 2009, ‘Is Cloud Computing Really Ready for Prime Time?’, Computer, Vol. 42, pp. 15-20, 2009.

[18]. Mell P. and Grance T., “The NIST Definition of Cloud Computing,” ver. 15, US Nat’l Inst. of Standards and Technology, 7 Oct. 2009; http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc.

[19]. Neepa Shah and Chetna Patel, “CONSIDERING THE CLOUD COMPUTING TECHNOLOGY", INCON13-IT-069.

http://www.securstore.com/blog/is-the-future-of-the-cloud-cloudy/

[20]. Securstore blogs

[21]. Weinhardt C, Anandasivam A, Blau B, and Stosser J, ‘Business Models in the Service World’, IT Professional, vol. 11, pp. 28-33, 2009.

AUTHOR

Subramanian Anbazhagan has more than twenty years of professional experience in the IT industry. He did his Bachelor of Computer Science and Engineering at the College of Engineering, Guindy, Anna University, India and completed his Masters in Software Engineering at the National University of Singapore. He also holds an MBA degree in Finance. As an IT consultant, he has provided consultancy services to various companies in the manufacturing, health care and cosmetics, government services, private and public sector industries, such as SPIC Ltd, Procter & Gamble (Singapore), Enameled Wire & Cable (Singapore), Singapore Computer Systems, Singapore Police Force and Singapore Civil Defense Force.

Dr. K. Somasundaram, Research Guide (Karpagam University), is a Professor with the Department of Computer Science and Engineering, Jaya Engineering College, Thiruvallur, Tamilnadu.
